
Support for custom certificates in TLS handler

Open rcm-25 opened this issue 1 year ago • 4 comments

It would be nice to have the option to configure custom certificates for the L4 TLS handler via the Caddyfile as it is possible in Caddy with the tls <cert_file> <key_file> directive.

I would e.g. like to use it like this (in the context of docker compose):

{
    layer4 {
        127.0.0.1:8883 {
            route {
                tls my_cert.crt my_cert.key
                proxy <docker_container>:1883
            }
        }
    }
}

This feature request emerged from the discussion in Custom certificates for TLS termination in layer4 app

rcm-25 avatar Sep 05 '24 09:09 rcm-25

Good idea, (sort of, lol) -- we like automation around these parts. Why do you need manually-managed certs?

mholt avatar Sep 05 '24 14:09 mholt

In my use case, I use Caddy with the Layer4 module as a reverse proxy in an environment that may not have online access. I would therefore like to be able to specify my own certificate here.

rcm-25 avatar Sep 10 '24 09:09 rcm-25

@rcm-25 What is your solution for this? Using automatic TLS?

rizary avatar Jan 30 '25 06:01 rizary

@Rizary

Current solution/advice is to define a site-block for HTTPS if you rely on Caddyfile definition instead of JSON (which allows managing certs differently). That will trigger cert provisioning; your site-block can have the abort directive if it shouldn't respond to HTTPS.

When you load a certificate from an external cert + key via the tls directive in a site block, it'd also make it available to Caddy's cert store, which L4 tls sni ... can then match against for route (before its own tls termination).


Since the current feature request here is about externally loading certs only, there is a bit of a disconnect from provisioning (via ACME provider or locally generated by Caddy). You could get tls internal, but there's no equivalent for the default ACME AFAIK? (granted that's only for auto_https I think)


Why do you need manually-managed certs?

I use manually managed certs sometimes for reproduction examples that work offline. Either via externally loaded certs like requested or tls internal. The flexibility helped me identify why a DNS client (kdig) was not compatible with tls internal.

I just add a regular site-block to get certs into Caddy for L4 to use. A little awkward, but it works; especially with wildcard certs this minimizes the effort.

polarathene avatar Apr 21 '25 07:04 polarathene
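The workaround described in the comment above, written out as a complete Caddyfile. This is an added example, not configuration from the original issue or from the caddy-l4 project: the hostname mqtt.example.invalid, the upstream mqtt-broker:1883, and the /certs paths are placeholders, and the 127.0.0.1:8883 listener is taken from the original request. The site block exists only to load the external certificate and key into Caddy's certificate cache; the layer4 listener then matches the ClientHello SNI against that certificate and terminates TLS with it before proxying.

```caddyfile
{
    layer4 {
        # Listener from the original request (MQTT over TLS on the loopback address).
        127.0.0.1:8883 {
            # Match only ClientHellos whose SNI is the name the manually loaded
            # certificate covers; unmatched connections fall through and are closed.
            @mqtt tls sni mqtt.example.invalid
            route @mqtt {
                # Terminate TLS here. The certificate is looked up in Caddy's
                # cert cache, which the site block below populated.
                tls
                # Placeholder upstream, plain MQTT inside the compose network.
                proxy mqtt-broker:1883
            }
        }
    }
}

# Site block whose only purpose is to load the external cert + key (placeholder
# paths). The hostname must be one of the certificate's SANs. Giving tls a
# cert/key pair disables ACME for this name, so it works offline.
mqtt.example.invalid {
    tls /certs/my_cert.crt /certs/my_cert.key
    # Do not serve any HTTP(S) content for this name; just drop requests.
    abort
}
```

Two things to check when using this: the SNI matcher and the site block must name the same host (a wildcard certificate, as the comment notes, lets one site block cover several layer4 routes), and the site block still causes the HTTP app to bind the HTTPS port for that name, which is why abort is there. When the JSON config is used instead of the Caddyfile, the same certificate can be loaded directly under apps.tls.certificates.load_files without any site block.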